Going 'virtual' introduces a whole new set of potential vulnerabilities

Mary Ursula HerrmannMary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.

Virtualization, in the business world, is a sound economic choice.Buying fewer pieces of hardware with more memory and larger disks, for running farms of virtual servers, makes more financial sense than buying hardware for each machine you need in your server environment. However, those server farms, while saving you money, may or may not conform to the rest of your security policy. You can't make the automatic assumption that whatever you're doing to automate security for the rest of your environment will apply to your virtual machines, because by default, it won't. For instance, if you are using a vulnerability scanner on your network, which you should be doing, it's not going to pick up the virtual machines on your network unless you configure your VM host to allow it to do so. This configuration is not something that's enabled by default, in general, so you have to keep it in mind. The scanner might detect that you have virtual machines but not be able to detect vulnerabilities on them without further configuration. Even so, the components that allow for the visibility you need might not be available on all versions of the virtual platform. If you're running enterprise-level server farms, then you should be fine; you should be able to configure the virtual switches to allow for network scanner and IDS visibility. But what if some of your technicians are running virtual labs off their desktop machines using a non-enterprise level platform? Not only will they be less likely to have hardened the host machine (although, certainly, it should conform to your desktop policies at least), but your scanners are not going to have visibility into the virtual networks. And unless you have some kind of managed desktop solution, you can't prevent them from running that type of virtual lab environment. If virtual machines are communicating with the Internet or otherwise network-accessible, it's also possible to fall victim to a type of attack known as “VM escape”, where an attacker uses malicious code to “break out” of the virtual environment and access the underlying host, giving him access to all the other virtual machines on that host and access to your network as well. So in a worst-case scenario, let's say that you have a server farm where even just one virtual machine access the Internet for whatever reason, and is attacked in this way. Suddenly the attacker has access to your entire server farm, which, unless it's successfully isolated from the rest of your network, can give him full network access as well. Or, back to the example of the technician with the virtual lab, now your desktops are compromised. Obviously I am simplifying the possible scenarios, and certainly there are patches and hardening techniques that are available to combat the security issues that come with virtualizing your enterprise. But keep in mind that virtualization is not merely a matter of economics; it needs to be part of your security strategy as well.

Morning Roundup

Business headlines from Crain's Cleveland Business and other Ohio newspapers — delivered FREE to your inbox every morning. Sign up for the Morning Newsletter.